Package: devscripts
Version: 2.16.6
Severity: normal
File: /usr/bin/debcheckout
Tags: patch

Dear maintainers,

debcheckout should rewrite insecure alioth URIs to secure ones.  This
protects users from (e.g.) maliciously-inserted debian/rules scripts.
It's especially important in unauthenticated mode.

The attached patch (suitable for git-am(1)) implements this.

-- Package-specific info:

--- /etc/devscripts.conf ---

--- ~/.devscripts ---
DEBCHANGE_FORCE_SAVE_ON_RELEASE=no
DEBRELEASE_UPLOADER=dput
DEBSIGN_KEYID=0x0F56D0553B6D411B
DEB_SIGN_KEYID=0x0F56D0553B6D411B
DEBSIGN_PROGRAM=gpg
RMADISON_DEFAULT_URL=debian,ubuntu
DSCVERIFY_KEYRINGS=~/.gnupg/pubring.kbx
DEBUILD_DPKG_BUILDPACKAGE_OPTS="-us -uc"

-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (900, 'testing')
Architecture: i386 (i686)

Kernel: Linux 4.5.0-2-686-pae (SMP w/2 CPU cores)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages devscripts depends on:
ii  dpkg-dev     1.18.10
ii  libc6        2.23-4
ii  perl         5.22.2-3
pn  python3:any  <none>

Versions of packages devscripts recommends:
ii  apt                         1.3~pre2
ii  at                          3.1.20-1
ii  curl                        7.47.0-1
ii  dctrl-tools                 2.24-2
ii  debian-keyring              2016.07.02
ii  dput                        0.9.6.4
ii  equivs                      2.0.9+nmu1
ii  fakeroot                    1.21-1
ii  file                        1:5.28-4
ii  gnupg                       2.1.14-2
ii  libdistro-info-perl         0.14
ii  libencode-locale-perl       1.05-1
ii  liblwp-protocol-https-perl  6.06-2
ii  libsoap-lite-perl           1.20-1
ii  liburi-perl                 1.71-1
ii  libwww-perl                 6.15-1
ii  licensecheck                3.0.13-1
ii  lintian                     2.5.45
ii  man-db                      2.7.5-1
ii  patch                       2.7.5-1
ii  patchutils                  0.3.4-1
ii  python3-debian              0.1.28
ii  python3-magic               1:5.28-4
ii  sensible-utils              0.0.9
ii  strace                      4.12-3
ii  unzip                       6.0-20
ii  wdiff                       1.2.2-1+b1
ii  wget                        1.18-2
ii  xz-utils                    5.1.1alpha+20120614-2.1

Versions of packages devscripts suggests:
ii  bsd-mailx [mailx]            8.1.2-0.20160123cvs-3
ii  build-essential              12.2
pn  cvs-buildpackage             <none>
pn  devscripts-el                <none>
pn  diffoscope                   <none>
ii  dose-extra                   5.0-3
ii  gnuplot                      5.0.3+dfsg3-7
ii  gpgv                         2.1.14-3
ii  libauthen-sasl-perl          2.1600-1
ii  libfile-desktopentry-perl    0.22-1
ii  libnet-smtp-ssl-perl         1.03-1
pn  libterm-size-perl            <none>
ii  libtimedate-perl             2.3000-2
pn  libyaml-syck-perl            <none>
ii  mozilla-devscripts           0.47
ii  mutt                         1.6.0-1
ii  openssh-client [ssh-client]  1:7.2p2-8
ii  svn-buildpackage             0.8.6
ii  w3m                          0.5.3-29

-- no debconf information

-- 
Sean Whitton
From ccc3d7b1517f99c91c12053804513b3f6d20c910 Mon Sep 17 00:00:00 2001
From: Sean Whitton <spwhit...@spwhitton.name>
Date: Thu, 11 Aug 2016 11:20:28 -0700
Subject: [PATCH] debcheckout: rewrite insecure alioth URIs

---
 debian/changelog       |  3 +++
 scripts/debcheckout.pl | 12 ++++++++++++
 2 files changed, 15 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 84c5def..88b5e0d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -17,6 +17,9 @@ devscripts (2.16.7) UNRELEASED; urgency=medium
   [ Christoph Berg ]
   * origtargz: Fix unpacking of tarballs found in --path.
 
+  [ Sean Whitton ]
+  * debcheckout: Rewrite insecure alioth URIs to use HTTPS.
+
  -- Paul Wise <p...@debian.org>  Fri, 15 Jul 2016 22:36:19 +0800
 
 devscripts (2.16.6) unstable; urgency=medium
diff --git a/scripts/debcheckout.pl b/scripts/debcheckout.pl
index e9327bd..a998096 100755
--- a/scripts/debcheckout.pl
+++ b/scripts/debcheckout.pl
@@ -525,6 +525,17 @@ sub munge_url($$)
     return $repo_url;
 }
 
+# Protect against out-of-date insecure alioth URIs.
+sub secure_url($)
+{
+    my ($repo_url) = @_;
+
+    $repo_url =~ s@^git://(anonscm|git)\.debian\.org/@https://anonscm.debian.org/git/@;
+    $repo_url =~ s@^http://(anonscm|git|hg|svn|arch|bzr)\.debian\.org/@https://anonscm.debian.org/@;
+
+    return $repo_url;
+}
+
 # Checkout a given repository in a given destination directory.
 sub checkout_repo($$$) {
     my ($repo_type, $repo_url, $destdir) = @_;
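Review bot: the first substitution in secure_url inserts a `/git/` path component unconditionally, so a URI that already carries it (for example `git://anonscm.debian.org/git/...`) would come out as `https://anonscm.debian.org/git/git/...`; consider matching only when the path does not already begin with `git/`, or treating the `anonscm.debian.org/git/` form as its own case. A comment stating which historical alioth URI forms each pattern targets would also help, since the second pattern changes only the scheme and host and relies on the path being identical under the https host.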
@@ -1088,6 +1099,7 @@ EOF
 	print "declared $repo_type repository at $repo_url\n";
 	$destdir = $pkg unless length $destdir;
     }
+    $repo_url = secure_url($repo_url);
     my $rc;
     if (@files) {
 	$rc = checkout_files($repo_type, $repo_url, $destdir, $browse_url);
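Review bot: the `$repo_url = secure_url($repo_url);` call sits after the `print "declared $repo_type repository at $repo_url\n"` line in this hunk, so the user is shown the insecure URI while the checkout actually uses the rewritten one; moving the rewrite above that print, or printing the rewritten value, would make the change visible to the user. A one-line comment at the call site saying that this is where the alioth rewrite takes effect would also be useful.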
-- 
2.8.1
